Bug 2492785 (CVE-2026-53147) - CVE-2026-53147 kernel: thunderbolt: Validate XDomain request packet size before type cast
Summary: CVE-2026-53147 kernel: thunderbolt: Validate XDomain request packet size befo...
Keywords:
Status: NEW
Alias: CVE-2026-53147
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 10:05 UTC by OSIDB Bzimport
Modified: 2026-06-26 08:13 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 10:05:36 UTC
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Validate XDomain request packet size before type cast

tb_xdp_handle_request() casts the received packet buffer to
protocol-specific structs without verifying that the allocation
is large enough for the target type.  A peer can send a minimal
XDomain packet that passes the generic header length check but is
shorter than the struct accessed after the cast, causing out-of-
bounds reads from the kmemdup allocation.

Plumb the packet length through xdomain_request_work and validate
it against the expected struct size before each cast.


Note You need to log in before you can comment on or make changes to this bug.